Responding to Privacy Breaches


We are increasingly familiar with our TV screens and column inches being dedicated to stories concerning privacy breaches. These can occur by way of deliberate acts, human error or flawed systems and their impact can range from the minor to the very serious.

Examples of data breaches include:

  • When an employee takes paper records, an unencrypted USB stick or laptop out of the office and the information is lost or stolen.
  • When an organisation mistakenly provides personal information to the wrong person.
  • When an organisation’s database is illegally accessed by staff members or by individuals outside of the organisation.

Of course, organisations are required to take reasonable steps to protect the personal information that they hold, and good privacy practices can greatly reduce the chance of a privacy breach occurring. However, there is always a chance that things can go wrong, and when a privacy breach does occur, it is essential that organisations are able to respond appropriately and effectively.

Although it is not compulsory to report privacy breaches to OVIC, we strongly encourage organisations to do so. This is primarily so that we can engage with organisations and assist them with their management of the incident, with a view towards minimising the risk of harm to affected individuals and identifying practical options for improving information handling practices going forward.

What to do when you have a privacy breach

There are four key steps to shape your response to a privacy breach (or suspected breach):

  1.  Contain the breach and conduct a preliminary assessment
  2.  Evaluate the risks associated with the breach
  3.  Remediate and notify (and other steps to mitigate harm)
  4.  Review the cause of the breach and your organisation’s response and take steps to improve practices and lessen the likelihood of future breaches.

You can find our Responding to Privacy Breaches Guidelines and Responding to Privacy Breaches Checklist (produced by our predecessor, the Office of the Victorian Privacy Commissioner) in the privacy resources section of our website.

Our federal counterpart, the Office of the Australian Information Commissioner, also publishes helpful information on breach management on its website.

You can also contact OVIC for guidance on breach management (see below).

Reporting a privacy breach to OVIC

There is no required form or format for notifying OVIC of a privacy breach. Reporting can simply take the form of a phone call in the first instance, in order to discuss what has occurred and the considerations that should be taken into account in dealing with the breach. This may be followed by ongoing liaison in relation to management of the breach. Organisations may also wish to submit a report after the matter has concluded in order to receive written feedback from OVIC.

It’s fine if you don’t have all the details yet, but when you contact us we’ll likely ask you for some information about the breach:

  • Some details about what has happened, the kind of information that was exposed, and the people that have been affected.
  • Information about what your organisation is doing to manage the breach, including whether the breach has been contained and/or the information recovered, and whether you are planning on contacting the affected individuals.
  • The contact person within your organisation to whom we can refer enquiries from the public relating to the breach.

After an initial discussion with OVIC, you can also submit a report to us for feedback if you would like to review your organisation’s breach response.

Why should my organisation report a privacy breach to OVIC?

Reporting breaches to OVIC is voluntary but strongly recommended for a number of reasons:

  • OVIC can provide guidance to your organisation on how to best mitigate the risks from a data breach.
  • Reporting allows OVIC to respond more effectively to enquiries from individuals who may have been affected, and to refer enquiries relating to the incident to the relevant contact person within your organisation.
  • OVIC can provide some independent assurance about the appropriateness of your organisation’s response. However, it is important to note that OVIC cannot provide a binding ruling to this effect, and OVIC’s assessment of your response will not preclude an individual from making a privacy complaint to our office.
  • In many cases, reporting is a ‘reasonable step’ to prevent misuse of personal information as required by Information Privacy Principle 4.
  • OVIC can assist your organisation to develop data breach response plans to help manage the risk of future breaches.

Where to get help

If your organisation has had a privacy breach, you can contact OVIC for guidance on breach management:

Phone: 1300 00 6842 (1300 00 OVIC)

Remember, you don’t have to wait for a privacy breach to contact us. We can assist your organisation with general guidance on the Information Privacy Principles and with the planning for projects that will potentially have privacy impacts.